01 Evaluate
Bring the evidence into your own review.
Use any AI model. Raw Saudi personal data stays in Saudi. Compliance built in. This page gives your team the artifacts to verify that claim yourself — open the files, run the commands, skip the sales summary.
02 Pick your path
Start with the packet that matches your role.
You should not need to read the whole site first. Choose the closest role, open the short packet, and bring that packet to a 30-minute call.
Compliance
I'm evaluating for compliance.
DPO and legal teams: PDPL role split, Article 29 posture, subject rights, DPA/SCC, and DPIA fit.
Open the compliance packet →
Security
I'm evaluating for security.
Security leads: signed evidence, isolation, encryption, subprocessors, known constraints, and benchmark artifacts.
Open the security packet →
Procurement
I'm evaluating for procurement.
Business buyers: what DataSitr does, which tier to discuss, who needs to review, and what is not yet claimed.
Open the procurement packet →
03 Verify it yourself
Open the files. Run the commands. Don't take our word for it.
Verifiable artifacts for a procurement, diligence, or security team. If the numbers or wording matter to your team, validate them from the published JSON and reviewer pack — not from screenshots or forwarded notes.
Where we draw the line is published too — see Where the boundaries live below.
# Inspect the public control-matrix summary
curl -s https://datasitr.com/resources/control_matrix.json | jq '.summary'
# Verify the signed reviewer bundle against a trusted key
python3 scripts/verify_compliance_reviewer_bundle.py <bundle-path> --trusted-public-key <trusted-key.pem>
# Audit every PDPL article citation in the codebase
python3 scripts/validate_pdpl_citations.py
Live surfaces you can inspect during a pilot — operating today, not on a roadmap slide
- Dashboard compliance tab — processing records, DPIA, audit summary, evidence pack, and compliance bundle, all with copy + download for procurement review.
- Control-matrix summary + reviewer pack — public human-readable and machine-readable summary files plus the buyer-safe reviewer brief for the signed compliance bundle.
- Benchmark artifacts — public benchmark page, detector precision/recall JSON, load-baseline JSON, and the PII benchmark snapshot.
- Dedicated regulator portal — read-only regulator access during evaluation, by request — cross-tenant processing records, SDAIA-shaped report builders, scoped signed-package generation, and a separate regulator access log.
04 Buyer questions, answered
The questions reviewers ask first.
The six questions enterprise reviewers ask first, each with the artifact or live surface that answers it.
DataSitr uses automatic privacy routing to catch and tokenize PII before external AI calls. Start with the public matrix summary and trust page, then request the signed reviewer bundle for control-level inspection.
Vault encryption uses AES-256-GCM with per-tenant key derivation. The current live baseline continues to bootstrap its startup master key through Alibaba KMS on ACK.
The live pilot includes subject-rights tooling, consent withdrawal, subject export PDF, and related audit surfaces. The public compliance page summarizes the right/destruction split, and the signed reviewer bundle carries the control-level mapping.
Yes, within the published proof boundary: use the public control-matrix summary, the compliance reviewer pack, the benchmark artifacts, and the signed reviewer-bundle verification flow.
The live pilot includes breach-register management alongside related compliance surfaces. Reviewers should inspect the compliance page, the control matrix, and the regulatory-audit references rather than relying on generic marketing claims.
One centralized list on the compliance page covers the items buyers ask about first — no external pen-test completed, no completed provider SCC/DPA/TIA package, no HSM-backed custody, no regulator-awarded status, no full-vault verification, and no unplanned full-region failure tolerance claim. Procurement, security, and legal reviewers all see the same explicit constraints from one place.
05 Where the boundaries live
One list. One page. One source of truth.
Procurement, security, and legal reviewers all read the same constraints from /compliance — by design.
Centralizing every constraint on a single public page is itself an architectural choice. It means buyers don't have to chase footnotes across the site, every reviewer sees the same wording, and we can't accidentally claim something on one page we've ruled out on another.
The current published constraints include: external penetration test (not yet completed), provider SCC/DPA/TIA package (not yet completed), HSM-backed key custody (not claimed), regulator-awarded status (not awarded), full-vault verification (separate), and unplanned full-region failure tolerance (not claimed).
06 Pilot intake
Take the evidence into your review.
When your team is ready, request a pilot and bring your role packet to a 30-minute call.
Approval-gated
Request a pilot.
Pilots are scoped and approval-gated — there is no self-serve sign-up and no free trial. Request one through the founder / DPO with your tenant name and intended use case, and we will scope it with you. Access to any configured path stays operator-approved.
Bring the evidence to the table.
Open the role packet, run the checks, and let your reviewers see the same constraints we publish.